Fuzz introspector: qrexec_daemon_fuzzer
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
0 | 21 | 1: ['send_service_refused'] | 0 | 21 | handle_execute_service | call site: 00042 | /src/qubes-os/qubes-core-qrexec/fuzz/../daemon/qrexec-daemon.c:1207
0 | 4 | 1: ['fuzz_exit'] | 0 | 4 | send_service_refused | call site: 00036 | /src/qubes-os/qubes-core-qrexec/fuzz/../daemon/qrexec-daemon.c:779
0 | 0 | None | 2 | 960 | handle_message_from_agent | call site: 00041 | /src/qubes-os/qubes-core-qrexec/fuzz/../daemon/qrexec-daemon.c:1397
0 | 0 | None | 0 | 6 | fuzz_libvchan_read | call site: 00009 | /src/qubes-os/qubes-core-qrexec/fuzz/fuzz.c:62
0 | 0 | None | 0 | 4 | send_service_refused | call site: 00032 | /src/qubes-os/qubes-core-qrexec/fuzz/../daemon/qrexec-daemon.c:774
0 | 0 | None | 0 | 0 | fuzz_libvchan_read | call site: 00010 | /src/qubes-os/qubes-core-qrexec/fuzz/fuzz.c:65
0 | 0 | None | 0 | 0 | fuzz_write | call site: 00033 | /src/qubes-os/qubes-core-qrexec/fuzz/fuzz.c:128
0 | 0 | None | 0 | 0 | fuzz_write | call site: 00034 | /src/qubes-os/qubes-core-qrexec/fuzz/fuzz.c:131

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 fuzz_file_create [function] [call site] 00001
2 panic [function] [call site] 00002
3 fprintf [call site] 00003
3 abort [call site] 00004
1 _setjmp [call site] 00005
1 fuzz_file_destroy [function] [call site] 00006
1 handle_message_from_agent [function] [call site] 00007
2 fuzz_libvchan_recv [function] [call site] 00008
3 fuzz_libvchan_read [function] [call site] 00009
4 file_input_eof [function] [call site] 00011
4 file_read [function] [call site] 00012
5 __assert_fail [call site] 00013
2 handle_vchan_error [function] [call site] 00014
3 fuzz_exit [function] [call site] 00015
4 longjmp [call site] 00016
2 sanitize_message_from_agent [function] [call site] 00017
2 fuzz_libvchan_recv [function] [call site] 00025
2 handle_vchan_error [function] [call site] 00026
2 sanitize_name [function] [call site] 00027
3 strchr [call site] 00028
2 sanitize_name [function] [call site] 00029
2 validate_request_id [function] [call site] 00030
2 send_service_refused [function] [call site] 00031
3 fuzz_libvchan_send [function] [call site] 00032
3 fuzz_exit [function] [call site] 00035
3 fuzz_libvchan_send [function] [call site] 00036
3 fuzz_exit [function] [call site] 00037
2 validate_service_name [function] [call site] 00038
3 sanitize_name [function] [call site] 00039
2 send_service_refused [function] [call site] 00040
2 handle_execute_service [function] [call site] 00041
3 find_policy_pending_slot [function] [call site] 00042
3 send_service_refused [function] [call site] 00043
3 fuzz_exit [function] [call site] 00044
3 atexit [call site] 00045
3 null_exit [function] [call site] 00046
4 _exit [call site] 00047
3 _exit [call site] 00048
3 handle_execute_service_child [function] [call site] 00049
4 close [call site] 00050
4 connect_daemon_socket [function] [call site] 00051
5 socket [call site] 00052
5 daemon__exit [function] [call site] 00053
6 _exit [call site] 00054
5 connect [call site] 00055
5 send_request_to_daemon [function] [call site] 00056
6 asprintf [call site] 00057
6 daemon__exit [function] [call site] 00058
6 send [call site] 00059
6 abort [call site] 00060
6 __assert_fail [call site] 00061
6 daemon__exit [function] [call site] 00062
5 qubes_read_all_to_malloc [function] [call site] 00063
6 abort [call site] 00064
6 abort [call site] 00065
6 abort [call site] 00066
6 __errno_location [call site] 00071
6 abort [call site] 00072
6 __errno_location [call site] 00073
6 abort [call site] 00074
6 __errno_location [call site] 00075
6 realloc [call site] 00076
6 __errno_location [call site] 00077
6 close [call site] 00078
5 parse_policy_response [function] [call site] 00079
6 strlen [call site] 00080
6 strsep [call site] 00081
6 strncmp [call site] 00082
6 strcmp [call site] 00083
6 strcmp [call site] 00084
6 strncmp [call site] 00085
6 strdup [call site] 00086
6 abort [call site] 00087
6 strncmp [call site] 00088
6 strdup [call site] 00089
6 abort [call site] 00090
6 strncmp [call site] 00091
6 strcmp [call site] 00092
6 strcmp [call site] 00093
6 strncmp [call site] 00094
6 strdup [call site] 00095
6 abort [call site] 00096
6 strchr [call site] 00097
5 __assert_fail [call site] 00098
5 close [call site] 00099
5 abort [call site] 00100
5 socketpair [call site] 00101
5 daemon__exit [function] [call site] 00102
5 daemon__exit [function] [call site] 00103
5 close [call site] 00104
5 daemon__exit [function] [call site] 00105
5 dup2 [call site] 00106
5 daemon__exit [function] [call site] 00107
5 close [call site] 00108
5 abort [call site] 00109
5 snprintf [call site] 00110
5 execl [call site] 00111
5 daemon__exit [function] [call site] 00112
5 close [call site] 00113
5 abort [call site] 00114
5 qubes_read_all_to_malloc [function] [call site] 00115
5 waitpid [call site] 00116
5 daemon__exit [function] [call site] 00117
5 daemon__exit [function] [call site] 00118
5 parse_policy_response [function] [call site] 00119
4 daemon__exit [function] [call site] 00120
4 strchr [call site] 00121
4 strcmp [call site] 00122
4 strcmp [call site] 00123
4 asprintf [call site] 00124
4 daemon__exit [function] [call site] 00125
4 register_exec_func [function] [call site] 00126
5 abort [call site] 00127
4 do_exec [function] [call site] 00128
5 exec_qubes_rpc_if_requested [function] [call site] 00129
6 strncmp [call site] 00130
6 _exit [call site] 00131
6 strdup [call site] 00132
6 _exit [call site] 00133
6 strtok_r [call site] 00134
6 _exit [call site] 00135
6 strtok_r [call site] 00136
6 getenv [call site] 00137
6 execve [call site] 00138
6 __errno_location [call site] 00139
6 _exit [call site] 00140
5 execl [call site] 00141
5 _exit [call site] 00142
4 run_qrexec_to_dom0 [function] [call site] 00143
5 set_remote_domain [function] [call site] 00144
6 setenv [call site] 00145
6 abort [call site] 00146
5 connect_unix_socket_by_id [function] [call site] 00147
6 snprintf [call site] 00148
6 abort [call site] 00149
6 connect_unix_socket [function] [call site] 00150
7 socket [call site] 00151
7 snprintf [call site] 00152
7 abort [call site] 00153
7 close [call site] 00154
7 connect [call site] 00155
7 __errno_location [call site] 00156
7 close [call site] 00157
7 handle_daemon_handshake [function] [call site] 00158
8 read_all [function] [call site] 00159
9 __errno_location [call site] 00160
9 __errno_location [call site] 00161
9 __errno_location [call site] 00162
9 set_block [function] [call site] 00163
10 fcntl [call site] 00164
10 fcntl [call site] 00165
8 write_all [function] [call site] 00167
9 fuzz_write [function] [call site] 00168
9 __errno_location [call site] 00169
8 write_all [function] [call site] 00170
5 negotiate_connection_params [function] [call site] 00171
6 write_all [function] [call site] 00172
6 write_all [function] [call site] 00173
6 write_all [function] [call site] 00174
6 __assert_fail [call site] 00176
5 buffer_init [function] [call site] 00178
5 parse_qubes_rpc_command [function] [call site] 00179
6 calloc [call site] 00180
6 strchr [call site] 00181
6 memdupnul [function] [call site] 00182
6 strncmp [call site] 00183
6 strncmp [call site] 00184
6 strchr [call site] 00185
6 memchr [call site] 00186
6 memdupnul [function] [call site] 00187
6 memdupnul [function] [call site] 00188
6 strchrnul [call site] 00189
6 memdupnul [function] [call site] 00190
6 destroy_qrexec_parsed_command [function] [call site] 00191
5 wait_for_session_maybe [function] [call site] 00192
6 load_service_config_v2 [function] [call site] 00193
7 __assert_fail [call site] 00194
7 load_service_config_raw [function] [call site] 00195
8 getenv [call site] 00196
8 find_file [function] [call site] 00197
9 strchrnul [call site] 00198
9 strcpy [call site] 00199
9 lstat [call site] 00200
9 readlink [call site] 00201
9 memcmp [call site] 00202
9 memcmp [call site] 00203
9 stat [call site] 00204
9 __assert_fail [call site] 00205
9 __assert_fail [call site] 00206
9 __errno_location [call site] 00207
8 find_file [function] [call site] 00208
8 qubes_toml_config_parse [function] [call site] 00209
9 fopen [call site] 00210
9 getline [call site] 00211
9 abort [call site] 00212
9 qubes_isspace [function] [call site] 00213
9 qubes_is_key_byte [function] [call site] 00214
9 qubes_isspace [function] [call site] 00215
9 qubes_isspace [function] [call site] 00216
9 parse_toml_value [function] [call site] 00217
10 strtoull [call site] 00218
10 __errno_location [call site] 00219
10 strncmp [call site] 00220
10 strncmp [call site] 00221
10 qubes_isspace [function] [call site] 00222
9 strcmp [call site] 00223
9 toml_check_dup_key [function] [call site] 00224
9 toml_invalid_type [function] [call site] 00225
10 abort [call site] 00226
9 toml_check_dup_key [function] [call site] 00227
9 toml_invalid_type [function] [call site] 00228
9 strcmp [call site] 00229
9 toml_check_dup_key [function] [call site] 00230
9 toml_invalid_type [function] [call site] 00231
9 strcmp [call site] 00232
9 toml_check_dup_key [function] [call site] 00233
9 toml_invalid_type [function] [call site] 00234
9 strcmp [call site] 00235
9 toml_check_dup_key [function] [call site] 00236
9 toml_invalid_type [function] [call site] 00237
9 toml_value_free [function] [call site] 00238
9 fclose [call site] 00239
6 close [call site] 00240
6 exec_wait_for_session [function] [call site] 00241
7 getenv [call site] 00242
7 find_file [function] [call site] 00243
7 setenv [call site] 00244
7 execl [call site] 00245
6 _exit [call site] 00246
6 waitpid [call site] 00247
5 prepare_local_fds [function] [call site] 00248
6 abort [call site] 00249
6 sigemptyset [call site] 00250
6 sigaction [call site] 00251
6 execute_parsed_qubes_rpc_command [function] [call site] 00252
7 find_qrexec_service [function] [call site] 00253
8 __assert_fail [call site] 00254
8 getenv [call site] 00255
8 find_file [function] [call site] 00256
8 find_file [function] [call site] 00257
8 socket [call site] 00258
8 strlen [call site] 00259
8 qubes_connect [function] [call site] 00260
9 mkdtemp [call site] 00261
9 connect [call site] 00262
9 __errno_location [call site] 00263
9 __errno_location [call site] 00264
9 unlink [call site] 00265
9 rmdir [call site] 00266
9 __errno_location [call site] 00267
8 close [call site] 00268
8 strlen [call site] 00269
8 buffer_append [function] [call site] 00270
9 fuzz_exit [function] [call site] 00271
9 fuzz_exit [function] [call site] 00272
9 limited_malloc [function] [call site] 00273
10 fuzz_exit [function] [call site] 00274
10 fuzz_exit [function] [call site] 00275
9 buffer_free [function] [call site] 00276
10 limited_free [function] [call site] 00277
11 abort [call site] 00278
10 buffer_init [function] [call site] 00279
8 __assert_fail [call site] 00280
8 memcmp [call site] 00281
8 strchr [call site] 00282
8 __assert_fail [call site] 00283
8 strrchr [call site] 00284
8 strlen [call site] 00285
8 buffer_append [function] [call site] 00286
8 qubes_tcp_connect [function] [call site] 00287
9 validate_port [function] [call site] 00288
10 memcmp [call site] 00289
9 strchr [call site] 00290
9 getaddrinfo [call site] 00291
9 __assert_fail [call site] 00292
9 __assert_fail [call site] 00293
9 socket [call site] 00294
9 setsockopt [call site] 00295
9 abort [call site] 00296
9 connect [call site] 00297
9 close [call site] 00298
9 freeaddrinfo [call site] 00299
8 euidaccess [call site] 00300
7 __assert_fail [call site] 00301
7 do_fork_exec [function] [call site] 00302
8 socketpair [call site] 00303
8 socketpair [call site] 00304
8 signal [call site] 00305
8 abort [call site] 00306
8 fix_fds [function] [call site] 00307
9 _exit [call site] 00308
9 dup2 [call site] 00309
9 abort [call site] 00310
9 close [call site] 00311
8 abort [call site] 00313
8 close [call site] 00314
7 do_fork_exec [function] [call site] 00315
5 fuzz_libvchan_client_init_async [function] [call site] 00316
6 abort [call site] 00317
5 qubes_wait_for_vchan_connection_with_timeout [function] [call site] 00318
6 clock_gettime [call site] 00319
6 __assert_fail [call site] 00320
6 clock_gettime [call site] 00321
6 __assert_fail [call site] 00322
6 ppoll [call site] 00323
6 __errno_location [call site] 00324
6 fuzz_libvchan_wait [function] [call site] 00325
5 fuzz_libvchan_close [function] [call site] 00326
5 handshake_and_go [function] [call site] 00327
6 fuzz_libvchan_is_open [function] [call site] 00328
6 handle_agent_handshake [function] [call site] 00329
7 read_vchan_all [function] [call site] 00330
8 fuzz_libvchan_read [function] [call site] 00331
7 read_vchan_all [function] [call site] 00332
7 write_vchan_all [function] [call site] 00333
7 write_vchan_all [function] [call site] 00334
6 handle_failed_exec [function] [call site] 00335
7 fuzz_libvchan_send [function] [call site] 00336
7 send_exit_code [function] [call site] 00337
8 fuzz_libvchan_send [function] [call site] 00338
8 fuzz_libvchan_send [function] [call site] 00339
6 __assert_fail [call site] 00340
6 select_loop [function] [call site] 00341
7 qrexec_process_io [function] [call site] 00342
8 __assert_fail [call site] 00343
8 max_data_chunk_size [function] [call site] 00344
8 handle_vchan_error [function] [call site] 00345
9 fuzz_exit [function] [call site] 00346
8 sigemptyset [call site] 00347
8 set_nonblock [function] [call site] 00348
9 fcntl [call site] 00349
9 abort [call site] 00350
9 fcntl [call site] 00351
8 set_nonblock [function] [call site] 00352
8 __assert_fail [call site] 00353
8 __assert_fail [call site] 00354
8 set_nonblock [function] [call site] 00355
8 __assert_fail [call site] 00356
8 __assert_fail [call site] 00357
8 close_stdio [function] [call site] 00358
9 __errno_location [call site] 00359
9 close [call site] 00360
9 __errno_location [call site] 00361
9 set_block [function] [call site] 00362
9 close [call site] 00363
8 send_exit_code [function] [call site] 00364
8 handle_vchan_error [function] [call site] 00365
8 fuzz_libvchan_is_open [function] [call site] 00366
8 fuzz_libvchan_data_ready [function] [call site] 00367
8 buffer_len [function] [call site] 00368
8 close_stdio [function] [call site] 00369
8 buffer_len [function] [call site] 00370
8 fuzz_libvchan_buffer_space [function] [call site] 00371
8 fuzz_libvchan_fd_for_select [function] [call site] 00372
8 buffer_len [function] [call site] 00373
8 fuzz_libvchan_data_ready [function] [call site] 00374
8 ppoll [call site] 00375
8 __errno_location [call site] 00376
8 fuzz_libvchan_wait [function] [call site] 00377
8 handle_vchan_error [function] [call site] 00378
8 fuzz_libvchan_send [function] [call site] 00379
8 close_stdio [function] [call site] 00380
8 handle_remote_data_v2 [function] [call site] 00381
9 flush_client_data [function] [call site] 00382
10 buffer_len [function] [call site] 00383
10 buffer_data [function] [call site] 00384
10 fuzz_write [function] [call site] 00385
10 buffer_remove [function] [call site] 00386
11 fuzz_exit [function] [call site] 00387
11 limited_malloc [function] [call site] 00388
11 buffer_free [function] [call site] 00389
9 fuzz_libvchan_recv [function] [call site] 00390
9 read_vchan_all [function] [call site] 00391
9 do_replace_chars [function] [call site] 00392
9 write_stdin [function] [call site] 00393
10 buffer_len [function] [call site] 00394
10 buffer_append [function] [call site] 00395
10 fuzz_write [function] [call site] 00396
10 abort [call site] 00397
10 __errno_location [call site] 00398
10 buffer_append [function] [call site] 00399
9 __errno_location [call site] 00400
9 do_replace_chars [function] [call site] 00401
9 write_all [function] [call site] 00402
8 handle_vchan_error [function] [call site] 00403
8 fuzz_libvchan_send [function] [call site] 00404
8 close_stdio [function] [call site] 00405
8 fuzz_libvchan_send [function] [call site] 00406
8 close_stdio [function] [call site] 00407
8 handle_input_v2 [function] [call site] 00408
9 abort [call site] 00409
9 fuzz_libvchan_buffer_space [function] [call site] 00410
9 fuzz_read [function] [call site] 00411
9 __errno_location [call site] 00412
9 __errno_location [call site] 00413
9 fuzz_libvchan_send [function] [call site] 00414
9 write_vchan_all [function] [call site] 00415
8 handle_vchan_error [function] [call site] 00416
8 close_stdio [function] [call site] 00417
8 handle_input_v2 [function] [call site] 00418
8 handle_vchan_error [function] [call site] 00419
8 close_stderr [function] [call site] 00420
9 set_block [function] [call site] 00421
8 fuzz_libvchan_send [function] [call site] 00422
8 close_stdio [function] [call site] 00423
8 close_stdio [function] [call site] 00424
8 close_stderr [function] [call site] 00425
8 waitpid [call site] 00426
6 fuzz_libvchan_close [function] [call site] 00427
4 daemon__exit [function] [call site] 00428
4 asprintf [call site] 00429
4 daemon__exit [function] [call site] 00430
4 qrexec_execute_vm [function] [call site] 00431
5 strncmp [call site] 00432
5 qubesd_call [function] [call site] 00433
6 strlen [call site] 00434
6 strlen [call site] 00435
6 __errno_location [call site] 00436
6 __errno_location [call site] 00437
6 connect [call site] 00438
6 qubes_sendmsg_all [function] [call site] 00439
7 sendmsg [call site] 00440
7 __errno_location [call site] 00441
6 shutdown [call site] 00442
6 qubes_read_all_to_malloc [function] [call site] 00443
6 strlen [call site] 00444
6 close [call site] 00445
5 memcmp [call site] 00446
5 memcmp [call site] 00447
5 connect_unix_socket [function] [call site] 00448
5 qubesd_call [function] [call site] 00449
5 memcmp [call site] 00450
5 memcmp [call site] 00451
5 memcmp [call site] 00452
5 connect_unix_socket [function] [call site] 00453
5 negotiate_connection_params [function] [call site] 00454
5 close [call site] 00455
5 connect_unix_socket_by_id [function] [call site] 00456
5 send_service_connect [function] [call site] 00457
6 strncpy [call site] 00458
6 write_all [function] [call site] 00459
6 write_all [function] [call site] 00460
6 write_all [function] [call site] 00461
5 poll [call site] 00462
5 qubesd_call [function] [call site] 00463
4 daemon__exit [function] [call site] 00464
2 handle_vchan_error [function] [call site] 00465
2 fuzz_libvchan_recv [function] [call site] 00466
2 handle_vchan_error [function] [call site] 00467
2 sanitize_name [function] [call site] 00468
2 validate_request_id [function] [call site] 00469
2 strlen [call site] 00470
2 validate_service_name [function] [call site] 00471
2 handle_execute_service [function] [call site] 00472
2 send_service_refused [function] [call site] 00473
2 handle_connection_terminated [function] [call site] 00474
3 fuzz_libvchan_recv [function] [call site] 00475
3 handle_vchan_error [function] [call site] 00476
3 fuzz_exit [function] [call site] 00477
3 release_vchan_port [function] [call site] 00478
4 terminate_client [function] [call site] 00479
5 close [call site] 00480
1 fuzz_file_destroy [function] [call site] 00481